Commit Graph

140 Commits

Author SHA256 Message Date
dad9b3c9fd Accepting request 1003573 from home:pmonrealgonzalez:branches:security:tls
- FIPS: Run the CFB8 cipher selftest without offset [bsc#1203245]
  * CFB8 list of ciphers: GNUTLS_CIPHER_AES_{128,192,256}_CFB8
  * Add gnutls-FIPS-Run-CFB8-without-offset.patch

OBS-URL: https://build.opensuse.org/request/show/1003573
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=74
2022-09-14 15:37:16 +00:00
5fcfc4e55e Accepting request 1003480 from home:pmonrealgonzalez:branches:security:tls
- FIPS: Additional modifications to the SLI. [bsc#1190698]
  * Mark CMAC and GMAC and non-approved in gnutls_pbkfd2().
  * Mark HMAC keylength less than 112 bits as non-approved in
    gnutls_pbkfd2().
  * Adapt the pbkdf2 selftest and the regression tests accordingly.
  * Add gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch

- FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941]
  * Add new dependency on jitterentropy
  * Add gnutls-FIPS-jitterentropy.patch

- FIPS:
  * Add gnutls_ECDSA_signing.patch [bsc#1190698]
    - Check minimum keylength for symmetric key generation
    - Only allows ECDSA signature with valid set of hashes
      (SHA2 and SHA3)

OBS-URL: https://build.opensuse.org/request/show/1003480
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=73
2022-09-14 08:41:21 +00:00
3796933089 Accepting request 991873 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.7:
  * libgnutls: Fixed double free during verification of pkcs7
    signatures. CVE-2022-2509
  * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument
    less than or equal to 255 times hash digest size, to comply with
    RFC 5869 2.3.
  * libgnutls: Length limit for TLS PSK usernames has been increased
    from 128 to 65535 characters
  * libgnutls: AES-GCM encryption function now limits plaintext
    length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
  * libgnutls: New block cipher functions have been added to
    transparently handle padding. gnutls_cipher_encrypt3 and
    gnutls_cipher_decrypt3 can be used in combination of
    GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove
    padding if the length of the original plaintext is not a multiple
    of the block size.
  * libgnutls: New function for manual FIPS self-testing.
  * API and ABI modifications:
    - gnutls_fips140_run_self_tests: New function
    - gnutls_cipher_encrypt3: New function
    - gnutls_cipher_decrypt3: New function
    - gnutls_cipher_padding_flags_t: New enum
  * guile: Guile 1.8 is no longer supported
  * guile: Session record port treats premature termination as EOF Previously,
    a 'gnutls-error' exception with the 'error/premature-termination' value
    would be thrown while reading from a session record port when the
    underlying session was terminated prematurely. This was inconvenient
    since users of the port may not be prepared to handle such an exception.
    Reading from the session record port now returns the end-of-file object
    instead of throwing an exception, just like it would for a proper

OBS-URL: https://build.opensuse.org/request/show/991873
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=69
2022-08-01 08:36:39 +00:00
d9b5f828c5 Accepting request 979523 from home:1Antoine1:branches:security:tls
- Update to version 3.7.6:
  * libgnutls: Fixed invalid write when gnutls_realloc_zero() is
    called with new_size < old_size. This bug caused heap
    corruption when gnutls_realloc_zero() has been set as gmp
    reallocfunc.
  * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed
    upstream.

- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory
  corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367,
  boo#1199929).

- update to 3.7.5:
  * add options disable session ticket usage in TLS 1.2 because
    it does not provide forward secrecy
  * For TLS 1.3 where session tickets do provide forward secrecy,
    the PFS priority string now only disables session tickets in
    TLS 1.2.
  * Future backward incompatibility: in the next major release of
     GnuTLS those flag and modifier are planned to be removed
  * gnutls-cli, gnutls-serv: Channel binding for printing
    information has been changed from tls-unique to tls-exporter
    as tls-unique is not supported in TLS 1.3.
  * Certificate sanity checks has been enhanced to make gnutls
    more RFC 5280 compliant:
  * Removed 3DES from FIPS approved algorithms
  * Optimized support for AES-SIV-CMAC algorithms
  * libgnutls: HKDF and AES-GCM algorithms are now approved in
    FIPS-140 mode when used in TLS

OBS-URL: https://build.opensuse.org/request/show/979523
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=67
2022-05-30 08:08:31 +00:00
OBS User buildservice-autocommit
2999cf8c9c Updating link to change in openSUSE:Factory/gnutls revision 138.0
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=63a8f90312822866b3ea2337c8d3e9e8
2022-05-26 20:44:21 +00:00
f5c5f4b0a0 Accepting request 978448 from home:AndreasStieger:branches:security:tls
guntls 3.7.5

OBS-URL: https://build.opensuse.org/request/show/978448
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=65
2022-05-22 09:11:15 +00:00
842d56dac4 Accepting request 976267 from home:msmeissn:branches:security:tls
- disable kcapi usage for now, as kernel-obs-build not adjusted
  to contain the algorithms. bsc#1189283

OBS-URL: https://build.opensuse.org/request/show/976267
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=63
2022-05-16 08:07:25 +00:00
2ab102c19b Accepting request 964661 from home:pmonrealgonzalez:branches:security:tls
- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669]
  * The IG 10.3.A and SP800-132 require some minimum parameters for
    the salt length, password length and iteration count. These
    parameters should be also used in the KAT.
  * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch
- Enable to run the regression tests also in FIPS mode.

  * Add gnutls-FIPS-disable-failing-tests.patch

OBS-URL: https://build.opensuse.org/request/show/964661
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=61
2022-03-24 12:48:13 +00:00
b1e657b45b Accepting request 962891 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.4:
  * libgnutls: Added support for certificate compression as defined
    in RFC8879.
  * certtool: Added option --compress-cert that allows user to
    specify compression  methods for certificate compression.
  * libgnutls: GnuTLS can now be compiled with --enable-strict-x509
    configure option to enforce stricter certificate sanity checks
    that are compliant with RFC5280.
  * libgnutls: Removed IA5String type from DirectoryString within
    issuer and subject name to make DirectoryString RFC5280 compliant.
  * libgnutls: Added function to retrieve the name of current
    ciphersuite from session.
  * Bump libgnutlsxx soname due to ABI break
  * API and ABI modifications:
    - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
    - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
    - gnutls_compress_certificate_get_selected_method: Added
    - gnutls_compress_certificate_set_methods: Added
  * Update gnutls.keyring

OBS-URL: https://build.opensuse.org/request/show/962891
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=60
2022-03-18 20:01:46 +00:00
7441e8b33b Accepting request 957881 from home:dirkmueller:Factory
- build with lto
- build with -Wl,-z,now -Wl,-z,relro
- build without -fanalyzer, which cuts build time in ~ half

OBS-URL: https://build.opensuse.org/request/show/957881
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=58
2022-03-09 10:49:43 +00:00
3ecf24776c Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
  * libgnutls: The allowlisting configuration mode has been added
    to the system-wide settings. In this mode, all the algorithms
    are initially marked as insecure or disabled, while the
    applications can re-enable them either through the [overrides]
    section of the configuration file or the new API (#1172).
  * The build infrastructure no longer depends on GNU AutoGen for
    generating command-line option handling, template file parsing
    in certtool, and documentation generation (#773, #774). This
    change also removes run-time or bundled dependency on the
    libopts library, and requires Python 3.6 or later to regenerate
    the distribution tarball. Note that this brings in known backward
    incompatibility in command-line tools, such as long options are
    now case sensitive, while previously they were treated in a case
    insensitive manner: for example --RSA is no longer a valid option
    of certtool. The existing scripts using GnuTLS tools may need
    adjustment for this change.
  * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
    and used as a gnutls_privkey_t (#594). The code was originally written
    for the OpenConnect VPN project by David Woodhouse. To generate such
    blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
    https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
    or the tpm2_encodeobject tool from unreleased tpm2-tools.
  * libgnutls: The library now transparently enables Linux KTLS (kernel
    TLS) when the feature is compiled in with --enable-ktls configuration
    option (#1113). If the KTLS initialization fails it automatically falls
    back to the user space implementation.
  * certtool: The certtool command can now read the Certificate Transparency
    (RFC 6962) SCT extension (#232).  New API functions are also provided to
    access and manipulate the extension values.

OBS-URL: https://build.opensuse.org/request/show/947389
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 11:47:02 +00:00
56fc836017 Accepting request 934036 from home:dimstar:Factory
- Drop bogus condition "> 1550": that would mean 'more recent than
  Tumbleweed' which is technically impossible, as Tumbleweed is the
  leading project (and the condition causes issues as Tumbleweed
  needs to move away from 1550 due to CODE 15 SP5 plans).

OBS-URL: https://build.opensuse.org/request/show/934036
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=56
2021-11-26 12:51:30 +00:00
b3497d3134 Accepting request 896474 from home:susnux:branches:security:tls
Update to version 3.7.2

OBS-URL: https://build.opensuse.org/request/show/896474
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=54
2021-06-01 12:42:43 +00:00
a4119f3566 Accepting request 895665 from home:pmonrealgonzalez:branches:security:tls
- Rework the crypto-policies dependencies in libraries [bsc#1186385]

OBS-URL: https://build.opensuse.org/request/show/895665
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=53
2021-05-31 09:16:21 +00:00
8e6db95b50 Accepting request 892936 from home:pmonrealgonzalez:branches:security:tls
- Compute the FIPS hmac file without re-defining the
  __os_install_post macro, use the brp-50-generate-fips-hmac
  script instead. [bsc#1184555]

- Require the main package in devel and lib packages as the default
  priorities are now set via crypto-policies. [bsc#1183082]

OBS-URL: https://build.opensuse.org/request/show/892936
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=51
2021-05-14 14:01:30 +00:00
505327d4f8 Accepting request 878624 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.1:
    [bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231]
  * Fixed potential use-after-free in sending "key_share" and
    "pre_shared_key" extensions.
  * Fixed a regression in handling duplicated certs in a chain.
  * Fixed sending of session ID in TLS 1.3 middlebox compatibility
    mode. In that mode the client shall always send a non-zero
    session ID to make the handshake resemble the TLS 1.2
    resumption; this was not true in the previous versions.
  * Removed dependency on the external 'fipscheck' package,
    when compiled with --enable-fips140-mode.
  * Added padlock acceleration for AES-192-CBC.
- Remove patches upstream:
  * gnutls-gnutls-cli-debug.patch
  * gnutls-ignore-duplicate-certificates.patch
  * gnutls-test-fixes.patch

OBS-URL: https://build.opensuse.org/request/show/878624
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=49
2021-03-15 09:13:41 +00:00
Jason Sikes
3ef6ac322f Accepting request 870946 from home:pmonrealgonzalez:branches:security:tls
Fix multiple build problems

OBS-URL: https://build.opensuse.org/request/show/870946
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=46
2021-02-10 16:11:35 +00:00
Jason Sikes
2aa820b4b7 Accepting request 868673 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.7.0
  * Depend on nettle 3.6
  * Added a new API that provides a callback function to retrieve
    missing certificates from incomplete certificate chains
  * Added a new API that provides a callback function to output the
    complete path to the trusted root during certificate chain
	verification
  * OIDs exposed as gnutls_datum_t no longer account for the
    terminating null bytes, while the data field is null terminated.
    The affected API functions are: gnutls_ocsp_req_get_extension,
    gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
  * Added a new set of API to enable QUIC implementation
  * The crypto implementation override APIs deprecated in 3.6.9 are
    now no-op
  * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
  * Support for padlock has been fixed to make it work with Zhaoxin CPU
  * The maximum PIN length for PKCS #11 has been increased from 31
    bytes to 255 bytes
- Remove patch fixed upstream:
  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- Add version guards for the crypto-policies package

OBS-URL: https://build.opensuse.org/request/show/868673
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=45
2021-02-02 17:34:55 +00:00
aa9092da48 Accepting request 858088 from home:pmonrealgonzalez:branches:security:tls
Don't forward to Factory yet, the policy needs more testing

OBS-URL: https://build.opensuse.org/request/show/858088
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=44
2020-12-22 09:48:35 +00:00
2d2be530a7 Accepting request 850542 from home:vitezslav_cizek:branches:security:tls
- Don't forward to Factory yet, the policy needs more testing.

- Use the centralized crypto policy profile (jsc#SLE-15832)

- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- FIPS: Add TLS KDF selftest (bsc#1176671)
  * add gnutls-FIPS-TLS_KDF_selftest.patch

OBS-URL: https://build.opensuse.org/request/show/850542
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=43
2020-12-05 17:16:13 +00:00
Tomáš Chvátal
f0593f0832 Accepting request 841257 from home:dimstar:Factory
- Escape rpm command %%expand when used in comment.

OBS-URL: https://build.opensuse.org/request/show/841257
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=41
2020-10-13 05:14:50 +00:00
Tomáš Chvátal
1c961377a9 Accepting request 832939 from home:vitezslav_cizek:branches:security:tls
- Update to 3.6.15
 * libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
   [GNUTLS-SA-2020-09-04, CVSS: medium]
 * libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now
   indicates that with a false return value (!1306).
 * libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked
   accordingly to SP800-56A rev 3 (!1295, !1299).
 * libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than
   the size of the internal base64 blob (#1025).
 * libgnutls: Certificate verification failue due to OCSP must-stapling is not
   honered is now correctly marked with the GNUTLS_CERT_INVALID flag
 * libgnutls: The audit log message for weak hashes is no longer printed twice
 * libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is
   disabled in the priority string. Previously, even when TLS 1.2 is explicitly
   disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is
   enabled (#1054).
- drop upstreamed patches:
  * gnutls-detect_nettle_so.patch
  * 0001-crypto-api-always-allocate-memory-when-serializing-i.patch

OBS-URL: https://build.opensuse.org/request/show/832939
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=39
2020-09-08 11:31:26 +00:00
Tomáš Chvátal
e295d5946a Accepting request 821490 from home:vitezslav_cizek:branches:security:tls
- Correctly detect gmp, nettle, and hogweed libraries (bsc#1172666)
  * add gnutls-detect_nettle_so.patch

  * add gnutls-temporarily_disable_broken_guile_reauth_test.patch

OBS-URL: https://build.opensuse.org/request/show/821490
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=37
2020-07-17 11:26:29 +00:00
Vítězslav Čížek
c3b4211443 Accepting request 812788 from home:vitezslav_cizek:branches:security:tls
- Fix a memory leak that could lead to a DoS attack against Samba
  servers (bsc#1172663)
  * add 0001-crypto-api-always-allocate-memory-when-serializing-i.patch
- Temporarily disable broken guile reauth test (bsc#1171565)
  * add gnutls-temporarily_disable_broken_guile_reauth_test

OBS-URL: https://build.opensuse.org/request/show/812788
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=35
2020-06-09 07:20:47 +00:00
Tomáš Chvátal
8169157125 Accepting request 811391 from home:vitezslav_cizek:branches:security:tls
- Update to 3.6.14
  * libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
    The TLS server would not bind the session ticket encryption key with a
    value supplied by the application until the initial key rotation, allowing
    attacker to bypass authentication in TLS 1.3 and recover previous
    conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
    [GNUTLS-SA-2020-06-03, CVSS: high]
  * libgnutls: Fixed handling of certificate chain with cross-signed
    intermediate CA certificates (#1008). (bsc#1172461)
  * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
  * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
    (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
    Key Identifier (AKI) properly (#989, #991).
  * certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
  * libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
    Also both accelerated and non-accelerated implementations check key block
    according to FIPS-140-2 IG A.9 (!1233).
  * libgnutls: Added support for AES-SIV ciphers (#463).
  * libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
  * libgnutls: No longer use internal symbols exported from Nettle (!1235)
  * API and ABI modifications:
    GNUTLS_CIPHER_AES_128_SIV: Added
    GNUTLS_CIPHER_AES_256_SIV: Added
    GNUTLS_CIPHER_AES_192_GCM: Added
    gnutls_pkcs7_print_signature_info: Added
- Add key D605848ED7E69871: public key "Daiki Ueno <ueno@unixuser.org>" to
  the keyring
- Drop gnutls-fips_correct_nettle_soversion.patch (upstream)

OBS-URL: https://build.opensuse.org/request/show/811391
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=34
2020-06-04 11:03:13 +00:00
Tomáš Chvátal
e21a7d8076 Accepting request 790830 from home:vitezslav_cizek:branches:security:tls
- Use correct nettle .so version when looking for a FIPS checksum
  (bsc#1166635)
  * add gnutls-fips_correct_nettle_soversion.patch

- Update to 3.6.13
  * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3
support)
    The DTLS client would not contribute any randomness to the DTLS negotiation,
    breaking the security guarantees of the DTLS protocol (#960)
    [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345)
  * libgnutls: Added new APIs to access KDF algorithms (#813).
  * libgnutls: Added new callback gnutls_keylog_func that enables a custom
    logging functionality.
  * libgnutls: Added support for non-null terminated usernames in PSK
    negotiation (#586).
  * gnutls-cli-debug: Improved support for old servers that only support
    SSL 3.0.

- Split off FIPS checksums into a separate libgnutls30-hmac
  subpackage (bsc#1152692)

OBS-URL: https://build.opensuse.org/request/show/790830
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=32
2020-04-02 10:58:27 +00:00
Vítězslav Čížek
0a5979b677 Accepting request 769920 from home:mimi_vx:branches:security:tls
- gnutls 3.6.12
 * libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
   to identify sessions that client request OCSP status request (#829).
 * libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
   signature algorithm (RFC 8032) under TLS (#86).
 * libgnutls: Added the default-priority-string option to system configuration;
   it allows overriding the compiled-in default-priority-string.
 * libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
   draft-smyshlyaev-tls12-gost-suites-07).
   By default this ciphersuite is disabled. It can be enabled by adding
   +GOST to priority string. In the future this priority string may enable
   other GOST ciphersuites as well.  Note, that server will fail to negotiate
   GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It
   is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
   are enabled on GnuTLS-based servers.
 * libgnutls: added priority shortcuts for different GOST categories like
   CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.
 * libgnutls: Reject certificates with invalid time fields. That is we reject
   certificates with invalid characters in Time fields, or invalid time formatting
   To continue accepting the invalid form compile with --disable-strict-der-time
 * libgnutls: Reject certificates which contain duplicate extensions. We were
   previously printing warnings when printing such a certificate, but that is
   not always sufficient to flag such certificates as invalid. Instead we now
   refuse to import them (#887).
 * libgnutls: If a CA is found in the trusted list, check in addition to
   time validity, whether the algorithms comply to the expected level prior
   to accepting it. This addresses the problem of accepting CAs which would
   have been marked as insecure otherwise (#877).
 * libgnutls: The min-verification-profile from system configuration applies
   for all certificate verifications, not only under TLS. The configuration can

OBS-URL: https://build.opensuse.org/request/show/769920
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=30
2020-02-04 10:06:09 +00:00
Tomáš Chvátal
9442c2652d Accepting request 753784 from home:AndreasStieger:branches:security:tls
gnutls 3.6.11.1

OBS-URL: https://build.opensuse.org/request/show/753784
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=28
2019-12-04 06:50:10 +00:00
Tomáš Chvátal
862f273c06 Accepting request 737176 from home:AndreasStieger:branches:security:tls
3.6.10

OBS-URL: https://build.opensuse.org/request/show/737176
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=26
2019-10-10 19:56:59 +00:00
Tomáš Chvátal
8ed96b3590 Accepting request 734378 from home:vitezslav_cizek:branches:security:tls
- Install checksums for binary integrity verification which are
  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)

OBS-URL: https://build.opensuse.org/request/show/734378
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=24
2019-10-01 15:18:43 +00:00
Tomáš Chvátal
ef95c81a37 Accepting request 720091 from home:AndreasStieger:branches:security:tls
gnutls 3.6.9

OBS-URL: https://build.opensuse.org/request/show/720091
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=22
2019-07-31 17:35:10 +00:00
Tomáš Chvátal
f11f79c7ae Accepting request 691610 from home:jengelh:branches:security:tls
- Trim useless %if..%endif guards that do not affect the build.
- Fix language errors in description again.

OBS-URL: https://build.opensuse.org/request/show/691610
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=20
2019-04-08 09:25:11 +00:00
Vítězslav Čížek
bdab2e0cbb Accepting request 691550 from home:jsikes:branches:security:tls
Forgot changelog entry.

OBS-URL: https://build.opensuse.org/request/show/691550
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=19
2019-04-04 14:11:38 +00:00
e793cfa4ab Accepting request 671127 from home:vitezslav_cizek:branches:security:tls
- Update to 3.6.6
  ** libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits
       on the public key (#640).
  ** libgnutls: Added support for raw public-key authentication as defined in RFC7250.
     Raw public-keys can be negotiated by enabling the corresponding certificate
     types via the priority strings. The raw public-key mechanism must be explicitly
     enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280).
  ** libgnutls: When on server or client side we are sending no extensions we do
     not set an empty extensions field but we rather remove that field competely.
     This solves a regression since 3.5.x and improves compatibility of the server
     side with certain clients.
  ** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
       the CKA_SIGN is not set (#667).
  ** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
     disable extensions at all cases, while providing a functional session. This
     also implies that when specified, TLS1.3 is disabled.
  ** libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
     The previous definition was non-functional (#609).
- drop no longer needed gnutls-enbale-guile-2.2.patch
- refresh disable-psk-file-test.patch

OBS-URL: https://build.opensuse.org/request/show/671127
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=17
2019-02-04 15:36:51 +00:00
Tomáš Chvátal
6e5080fb38 Accepting request 662795 from home:vitezslav_cizek:branches:security:tls
- Update to 3.6.5
  ** libgnutls: Provide the option of transparent re-handshake/reauthentication
     when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
  ** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
  ** libgnutls: The priority functions will ignore and not enable TLS1.3 if
     requested with legacy TLS versions enabled but not TLS1.2. That is because
     if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled)
     servers which do not support TLS1.3 will negotiate TLS1.2 which will be
     rejected by the client as disabled (#621).
  ** libgnutls: Change RSA decryption to use a new side-channel silent function.
     This addresses a security issue where memory access patterns as well as timing
     on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
     attacks. Side-channel resistant code is slower due to the need to mask
     access and timings. When used in TLS the new functions cause RSA based
     handshakes to be between 13% and 28% slower on average (Numbers are indicative,
     the tests where performed on a relatively modern Intel CPU, results vary
     depending on the CPU and architecture used). This change makes nettle 3.4.1
     the minimum requirement of gnutls (#630). [CVSS: medium]
  ** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
     in the priority string. It is only accepted as legacy option and is ignored.
  ** libgnutls: Added support for EdDSA under PKCS#11 (#417)
  ** libgnutls: Added support for AES-CFB8 cipher (#357)
  ** libgnutls: Added support for AES-CMAC MAC (#351)
  ** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers
       have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
     S-BOXes). They are fixed now.
  ** libgnutls: Added support for GOST key unmasking and unwrapped GOST private
     keys parsing, as specified in R 50.1.112-2016.
  ** gnutls-serv: It applies the default settings when no --priority option is given,
     using gnutls_set_default_priority().

OBS-URL: https://build.opensuse.org/request/show/662795
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=16
2019-01-04 13:39:42 +00:00
Tomáš Chvátal
87e88269b9 Accepting request 652449 from home:jbrielmaier:guile2.2
- search for guile-2.2 during configure, part of boo#1117121
  add patches:
  * gnutls-enbale-guile-2.2.patch: search for guile-2.2
  refresh patches:
  * disable-psk-file-test.patch: disable psk-file in Makefile.am

The patch should work also with guile-2.0, because configure searches still for guile 2.0 and 1.8

OBS-URL: https://build.opensuse.org/request/show/652449
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=14
2018-11-28 14:42:02 +00:00
Tomáš Chvátal
f8b3d1676a Accepting request 642092 from home:vitezslav_cizek:branches:security:tls
- Temporarily disable failing psk-file test (race condition)
  * add disable-psk-file-test.patch

- Version update to 3.6.4 (bsc#1111757):

OBS-URL: https://build.opensuse.org/request/show/642092
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=12
2018-10-15 17:34:04 +00:00
Tomáš Chvátal
36cac07d0e - Version update to 3.6.4 bsc#1111757:
- Drop upstreamed patch:
  * gnutls-3.6.3-backport-upstream-fixes.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=11
2018-10-15 08:47:20 +00:00
Tomáš Chvátal
60b4dea541 - Version update to 3.6.4:
** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.
  ** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
     gnutls_certificate_set_retrieve_function() which could not handle the case where
     no certificates were returned, or the callbacks were set to NULL (see #528).
  ** libgnutls: gnutls_handshake() on server returns early on handshake when no
     certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
     is specified.
  ** libgnutls: Added session ticket key rotation on server side with TOTP.
     The key set with gnutls_session_ticket_enable_server() is used as a
     master key to generate time-based keys for tickets. The rotation
     relates to the gnutls_db_set_cache_expiration() period.
  ** libgnutls: The 'record size limit' extension is added and preferred to the
     'max record size' extension when possible.
  ** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
     This addresses the problem where the CA certificate doesn't have a subject key
     identifier whereas the end certificates have an authority key identifier (#569)
  ** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
     gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
     and export GOST parameters in the "native" little endian format used for these
     curves. This is an intentional incompatible change with 3.6.3.
  ** libgnutls: Added support for seperately negotiating client and server certificate types
     as defined in RFC7250. This mechanism must be explicitly enabled via the
     GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=10
2018-10-15 08:27:49 +00:00
Tomáš Chvátal
65aedfc27d Accepting request 636362 from home:Andreas_Schwab:Factory
- gnutls-3.6.0-disable-flaky-dtls_resume-test.patch: refresh to also patch
  test/Makefile.in as autoreconf does not work

OBS-URL: https://build.opensuse.org/request/show/636362
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=8
2018-09-18 10:23:08 +00:00
Tomáš Chvátal
3036ffa05f Accepting request 635768 from home:henrix:branches:security:tls
- Backport of upstream fixes (boo#1108450)
  Fixes taken from upstream commits:
  ** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
  ** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
  ** 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")
  The patch was taken from https://github.com/weechat/weechat/issues/1231

OBS-URL: https://build.opensuse.org/request/show/635768
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=6
2018-09-14 13:30:28 +00:00
Tomáš Chvátal
a081367f85 Accepting request 630992 from home:vitezslav_cizek:branches:security:tls
- Update to 3.6.3
  Fixes security issues:
  CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
  (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
  Other Changes:
  ** libgnutls: Introduced support for draft-ietf-tls-tls13-28
  ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
     earlier and TLS 1.3.
  ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
  ** Provide a uniform cipher list across supported TLS protocols
  ** The SSL 3.0 protocol is disabled on compile-time by default.
  ** libgnutls: Introduced function to switch the current FIPS140-2 operational
     mode
  ** libgnutls: Introduced low-level function to assist applications attempting client
     hello extension parsing, prior to GnuTLS' parsing of the message.
  ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
     modifications to the certificate.
  ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
     which are preferred by the server.
  ** Improved counter-measures for TLS CBC record padding.
     ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
     of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
  ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
     GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
  ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
     gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
     unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
     change for these functions which make them err towards safety.
  ** libgnutls: improved aarch64 cpu features detection by using getauxval().
  ** certtool: It is now possible to specify certificate and serial CRL numbers greater

OBS-URL: https://build.opensuse.org/request/show/630992
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=4
2018-08-23 07:10:46 +00:00
Dominique Leuenberger
31a755e11b Accepting request 626682 from security:tls
OBS-URL: https://build.opensuse.org/request/show/626682
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=111
2018-08-03 10:30:07 +00:00
Yuchen Lin
f1d38dc060 Accepting request 593004 from Base:System
OBS-URL: https://build.opensuse.org/request/show/593004
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=110
2018-04-10 07:48:38 +00:00
Dominique Leuenberger
a4e4513bc5 Accepting request 591143 from Base:System
OBS-URL: https://build.opensuse.org/request/show/591143
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=109
2018-03-30 09:56:05 +00:00
Dominique Leuenberger
bb22a0a779 Accepting request 587401 from Base:System
- gnutls.keyring: Nikos key refreshed to be unexpired

- GnuTLS 3.6.2:
  * libgnutls: When verifying against a self signed certificate ignore issuer.
    That is, ignore issuer when checking the issuer's parameters strength,
    resolving issue #347 which caused self signed certificates to be
    additionally marked as of insufficient security level.
  * libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
    MTU calculation now, it correctly accounts for the fixed overhead due to
    padding (as 1 byte), while at the same time considers the rest of the
    padding as part of data MTU.
  * libgnutls: Address issue of loading of all PKCS#11 modules on startup
    on systems with a PKCS#11 trust store (as opposed to a file trust store).
    Introduced a multi-stage initialization which loads the trust modules, and
    other modules are deferred for the first pure PKCS#11 request.
  * libgnutls: The SRP authentication will reject any parameters outside
    RFC5054. This protects any client from potential MitM due to insecure
    parameters. That also brings SRP in par with the RFC7919 changes to
    Diffie-Hellman.
  * libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
    for SRP authentication.
  * libgnutls: Addressed issue in the accelerated code affecting
    interoperability with versions of nettle >= 3.4.
  * libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.
  * libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
    Vitezslav Cizek).
  * srptool: the --create-conf option no longer includes 1024-bit parameters.
  * p11tool: Fixed the deletion of objects in batch mode.
- Dropped gnutls-check_aes_keysize.patch as it is included upstream now.

OBS-URL: https://build.opensuse.org/request/show/587401
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=108
2018-03-16 09:33:36 +00:00
Dominique Leuenberger
e8abc4150e Accepting request 580155 from Base:System
OBS-URL: https://build.opensuse.org/request/show/580155
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=107
2018-02-28 18:55:27 +00:00
Dominique Leuenberger
5886f877a6 Accepting request 574115 from Base:System
OBS-URL: https://build.opensuse.org/request/show/574115
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=106
2018-02-12 09:09:02 +00:00
Dominique Leuenberger
4d1ca43878 Accepting request 539293 from Base:System
OBS-URL: https://build.opensuse.org/request/show/539293
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=105
2017-11-10 13:40:23 +00:00
Dominique Leuenberger
ca879abd51 Accepting request 528289 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/528289
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=104
2017-09-25 11:50:29 +00:00